Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 25.2.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiCNAPP CLI Reference

    CLI Policy Management

    CLI Policy Management

    Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the FortiCNAPP Console.

    Policies also facilitate the scheduled execution of a FortiCNAPP query.

    Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.

    FortiCNAPP offers a set of default LQL policies that are available in your account.

    Limitations:

    • The maximum number of records that each policy will return is 1000

    • The maximum number of API calls is 120 per hour for on-demand LQL query executions

    To view all the policies in your FortiCNAPP account.

    lacework policy ls

    • To show only enabled policies, use the --enabled flag

    • To show only policies with the alert functionality enabled, use the --alert_enabled flag

    • To filter policies by severity threshold (critical, high, medium, low, info), use the --severity flag

    • To filter policies by tag, use the --tag flag

    To list all tags associated with policies.

    lacework policy list-tags

    To view more details about a single policy.

    lacework policy show <policy_id>

    To view the LQL query associated with the policy, use the query ID.

    lacework query show <query_id>
    Note

    LQL syntax may change.

    To delete a policy.

    lacework policy delete <policy_id>

    Create a Policy

    There are multiple ways you can create a policy:

    • Type the policy into your default editor (via $EDITOR)

    • Pipe the policy to the FortiCNAPP CLI command (via $STDIN)

    • From a local file on disk using the flag --file

    • From a URL using the flag --url

    There are two formats you can use to define a policy:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor and create a new policy.

    lacework policy create

    The following attributes are required:

    ---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation

    To view all LQL queries in your FortiCNAPP account.

    lacework query ls

    For more information about queries, see LQL Queries.

    Update a Policy

    There are multiple ways you can update a policy:

    • Type the policy into your default editor (via $EDITOR)

    • Pipe the policy to the FortiCNAPP CLI command (via $STDIN)

    • From a local file on disk using the flag --file

    • From a URL using the flag --url

    There are two formats you can use to define a policy:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor to update a policy.

    lacework policy update <policy_id>

    A policy identifier specifed via command argument always takes precedence over a policy identifer specified via payload.

    Previous
    Next

    CLI Policy Management

    CLI Policy Management

    Policies add annotated metadata to queries for improving the context of alerts, reports, and information displayed in the FortiCNAPP Console.

    Policies also facilitate the scheduled execution of a FortiCNAPP query.

    Queries let you interactively request information from specified curated datasources. Queries have a defined structure for authoring detections.

    FortiCNAPP offers a set of default LQL policies that are available in your account.

    Limitations:

    • The maximum number of records that each policy will return is 1000

    • The maximum number of API calls is 120 per hour for on-demand LQL query executions

    To view all the policies in your FortiCNAPP account.

    lacework policy ls

    • To show only enabled policies, use the --enabled flag

    • To show only policies with the alert functionality enabled, use the --alert_enabled flag

    • To filter policies by severity threshold (critical, high, medium, low, info), use the --severity flag

    • To filter policies by tag, use the --tag flag

    To list all tags associated with policies.

    lacework policy list-tags

    To view more details about a single policy.

    lacework policy show <policy_id>

    To view the LQL query associated with the policy, use the query ID.

    lacework query show <query_id>
    Note

    LQL syntax may change.

    To delete a policy.

    lacework policy delete <policy_id>

    Create a Policy

    There are multiple ways you can create a policy:

    • Type the policy into your default editor (via $EDITOR)

    • Pipe the policy to the FortiCNAPP CLI command (via $STDIN)

    • From a local file on disk using the flag --file

    • From a URL using the flag --url

    There are two formats you can use to define a policy:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor and create a new policy.

    lacework policy create

    The following attributes are required:

    ---
title: My Policy
enabled: false
policyType: Violation
alertEnabled: false
alertProfile: Alert_Profile_ID.Alert_Template_Name
evalFrequency: Daily
queryId: MyQuery
severity: high
description: My Policy Description
remediation: My Policy Remediation

    To view all LQL queries in your FortiCNAPP account.

    lacework query ls

    For more information about queries, see LQL Queries.

    Update a Policy

    There are multiple ways you can update a policy:

    • Type the policy into your default editor (via $EDITOR)

    • Pipe the policy to the FortiCNAPP CLI command (via $STDIN)

    • From a local file on disk using the flag --file

    • From a URL using the flag --url

    There are two formats you can use to define a policy:

    • Javascript Object Notation (JSON)

    • YAML Ain't Markup Language (YAML)

    To launch your default editor to update a policy.

    lacework policy update <policy_id>

    A policy identifier specifed via command argument always takes precedence over a policy identifer specified via payload.

    Previous
    Next